You know the feeling. A user has done something incredibly dumb. Like opening a strange attachment despite all the counter-phishing training you did last month. And your brain cells all scream at once, just one single word.

"Whhhyyyyyyyy?"

It's said that common sense isn't common. In IT, that seems even more true. I read a study recently that said one in two users click links sent to them by unknown senders via Facebook or E-mail.

What was worse? Even if subjects knew the risks involved from counter-phishing training, they still clicked on the links.

So here's the million-dollar question. Is counter-phishing training the best solution to the problem?

Evidence Most Users Are Dum-Dums

So it seems users are suckered in no matter the medium. A joint study by the University of Illinois, the University of Michigan, and Google found nearly half of people would not just pick up strange USBs they found lying around—they'd plug them in, open the files inside and click on unfamiliar links.

This study involved dropping hundreds of USBs in different locations. The first drives were connected in less than six minutes, like cheese to mice. And USB drops are being used to scam people in Australia right now (which is where I'm from).

I look at my best friend's four-year-old using a tablet without trouble, and I wonder why in 2016 the gap between knowing how to use technology and knowing the perils of that technology is so vast. And why people who have had the education still fall for these kinds of scams.

So I read another study (my go-to solution). It explained some of the reasons its authors thought counter-phishing education could fail. Reasons included:

1. Even though users know there are risks, they don't link these risks to their own situation. In short, they don't believe it will happen to them.

2. While users can identify familiar risks, they have difficulty generalizing what they know and applying it to unfamiliar risks. For example, they know e-mails can carry malicious attachments, but they don't apply the same logic to Facebook messages.

3. Since illegitimate e-mails are usually blocked by spam filters and anti-virus software, users place an unwarranted level of trust in any e-mail that does reach them, including the ones that slip through the net.

So Is It a Waste Of Time?

Well, not according to the guys who did the study I mentioned before. They said there was evidence that well-designed user security education could be effective, mainly through contextual training, embedded training and web-based training materials.

However, to play devil's advocate: proper training reduces phishing risk, but it doesn't eliminate the threat. And this year has seen a massive spike in ransomware.

So is there a perfect way to deal with these pesky phishers, or are we stuck with drilling counter-phishing techniques into users' heads and hoping for the best?

I did this very exercise last month. Wrote and circulated a document (with lots of pretty pictures) in language that a child could understand regarding what phishing is and how they can be targeted. Three days after sending it, some sour-faced brood mare decided to click on an unknown link in a PDF that was sent by a client that had been compromised. Thankfully no impact on our systems.

Most individuals, given the appropriate information, will pursue a course of action that helps prevent security breaches. Most, however, is not all! Users are human; they are flawed! They (we) will always act outside the boundaries, and sometimes outside common sense! They are also often careless and easily exploited.

So yes, education is part of the solution, but organizations also need to look at better protecting their users rather than blaming them for being human.

The only companies that have really put a stop to it are those where senior management has got involved, identifying social engineering attacks is on staff members' personal yearly objectives, and HR deals with people who fail to comply.

